Petya ransomware: Where it comes from and how to protect yourself

The Petya ransomware attack that crippled computers in 64 countries worldwide was spread by accounting software, according to Microsoft, highlighting the dangers posed by compromised third-party apps.

The outbreak started in Ukraine, where more than 12,500 machines were infected, and there is now evidence this new Petya malware variant was initially spread via an updater for the tax accounting software MEDoc.

Another software supply chain attack earlier this year compromised an updater for a third-party editing tool used across multiple firms, Microsoft said, describing this approach as "a silent yet effective attack vector".

A large number of organizations were infected, many of them in Ukraine; victims included Danish transport company Maersk, Russian oil firm Rosneft, the Kiev metro system, the National Bank of Ukraine, the law firm DLA Piper, US pharmaceutical company Merck and many others.

How to protect yourself

Once the ransomware infects a machine, it attempts to spread to other PCs on the network. To propagate, it tries to steal credentials to gain local admin privileges, uses file shares to copy the malicious file to other PCs, and then executes that file remotely. The ransomware encrypts entire hard drives and demands a Bitcoin payment of $300 to release them.

The malware can also spread itself using the EternalBlue exploit for an SMB vulnerability, which was used by WannaCry to spread between machines. The vulnerability was patched by Microsoft in March this year.
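As an added defensive check (example code, not from the article), the following PowerShell audits whether a Windows host still has the SMBv1 protocol that EternalBlue targets enabled and whether one of the March 2017 SMB fixes (Microsoft bulletin MS17-010) is installed, and can disable SMBv1; the KB list and the `-Remediate` switch are assumptions of this example.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session.
# The KB list is an assumption covering common editions; on Windows 10 a later
# cumulative update supersedes these, so an absent KB there is not proof the
# fix is missing and the update level should be confirmed separately.
param([switch]$Remediate)

$ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216',
              'KB4012214','KB4012217','KB4012598','KB4012606',
              'KB4013198','KB4013429'

# 1. Is the SMBv1 server protocol still enabled on this host?
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Host "SMBv1 server protocol enabled: $smb1Enabled"

# 2. Is any of the listed MS17-010 hotfixes installed?
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 hotfix present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No listed MS17-010 hotfix found; verify the cumulative update level."
}

# 3. Optionally disable SMBv1 at both the server setting and the optional feature.
if ($Remediate -and $smb1Enabled) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Write-Host "SMBv1 disabled; reboot for the feature removal to take effect."
}
```

Disabling SMBv1 removes the protocol EternalBlue abuses but does not stop the credential-theft and file-share spread described above, so patching and limiting local admin rights remain necessary.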